Dailydave mailing list archives

Re: Better, more FLAME-like, penetration testing
From: Daniel Clemens <daniel.clemens () packetninjas net>
Date: Fri, 27 Sep 2013 09:34:00 -0500


On Sep 26, 2013, at 2:41 PM, Dave Aitel wrote:

> You use your exploit framework of choice to phish a few people with a PDF exploit. Your exploit is written by a
> professional team and is highly reliable, and you know it triggered because it downloaded your trojan from your
> watering-hole website, but you never got a callback. This is one of those features of modern well-run networks. It's
> sometimes easy to get INTO the network, but hard to get OUT of the network. INNUENDO is an injectable DLL, so not
> easy to catch even by modern AV/HIPS.
>
> By design INNUENDO is highly configurable at build-time, and hot-patchable at runtime using blocks of code that are
> strongly signed and encrypted. One of the core features is that there are channels into and out of the core message
> pumps, and these are themselves hot-swappable. So for PDF exploits, one of the channels you'll use is a PDF sniffer
> that sits in the PDF reader and looks at all new PDFs for signed messages from the C&C. It can then use these to
> update itself with, say, a bi-directional ICMP channel, or a Twitter/IMGUR channel (slightly higher bandwidth). Or a
> local exploit, of course.
>
> One of the main things we're moving into here is a complete break from the concept of tunneling connections into a
> network. Messages move throughout the network and get routed as they want to. INNUENDO handles interruptions in
> connectivity in a completely reliable way - if you switch to DNS tunneling halfway through a big file transfer
> because they've blocked your HTTPS callback, then so be it.
>
> In any case, if you want to be in on the early testing, or want to budget for it in the new FY, let me know!

Awesome, sounds like http://www.youtube.com/watch?v=F3hi5nsy1lE, just not as great on payload protection.


Daniel Uriah Clemens

O +1  202 747 0043 Ext. 7001
M +1  205 567 6850
F  +1  205 449 4731

Packet Ninjas LLC
265 Riverchase Pkwy E. Suite 103
Hoover, AL 35244

"Moments of Sorrow are moments of sobriety"




_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave